From cf4991d6022d990604bb8175dc94b931e69617dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= Date: Tue, 11 Nov 2014 17:56:09 +0100 Subject: [PATCH] Added OpenSSL support for --crl-file --- src/ChangeLog | 4 ++++ src/openssl.c | 16 ++++++++++++++++ testenv/ChangeLog | 4 ++++ testenv/certs/README | 23 ++++++++++------------- testenv/certs/ca-cert.pem | 23 +++++++++++------------ testenv/certs/server-cert.pem | 20 ++++++++++---------- testenv/certs/server-crl.pem | 18 +++++++++--------- 7 files changed, 64 insertions(+), 44 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index 03d8ca79..19b49610 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,7 @@ +2014-11-11 Tim Ruehsen + + * openssl.c (ssl_init): Load CRL file given by --crl-file + 2014-11-11 Tim Ruehsen * http.c (gethttp): Always add Accept-Encoding: identity diff --git a/src/openssl.c b/src/openssl.c index 6685ee7c..371913cb 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -254,6 +254,22 @@ ssl_init (void) SSL_CTX_set_default_verify_paths (ssl_ctx); SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory); + if (opt.crl_file) + { + X509_STORE *store = SSL_CTX_get_cert_store (ssl_ctx); + X509_LOOKUP *lookup; + int rc; + + if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ())) + || (!(rc = X509_load_crl_file (lookup, opt.crl_file, X509_FILETYPE_PEM)))) + { + logprintf (LOG_NOTQUIET, _("ERROR: Failed to load CRL file '%s': (%d)\n"), opt.crl_file, rc); + return false; + } + + X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); + } + /* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the certificate is invalid. We verify the certificate separately in ssl_check_certificate, which provides much better diagnostics diff --git a/testenv/ChangeLog b/testenv/ChangeLog index f743895c..3157dd92 100644 --- a/testenv/ChangeLog +++ b/testenv/ChangeLog @@ -1,3 +1,7 @@ +2014-11-11 Tim Ruehsen + + * recreated the certs and the CRL file, also amended certs/README + 2014-11-10 Tim Ruehsen * removed certs/wget-cert.pem diff --git a/testenv/certs/README b/testenv/certs/README index 979a3afd..ead573ba 100644 --- a/testenv/certs/README +++ b/testenv/certs/README @@ -1,6 +1,7 @@ To create the server RSA private key: $ certtool --generate-privkey --outfile server-key.pem --rsa + To create a self signed CA certificate: $ certtool --generate-privkey --outfile ca-key.pem $ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem @@ -14,7 +15,7 @@ Country name (2 chars): Enter the subject's domain component (DC): This field should not be used in new certificates. E-mail: -Enter the certificate's serial number in decimal (default: 6079996172146959675): +Enter the certificate's serial number in decimal (default: 6080487640893163573): Activation/Expiration time. The certificate will expire in (days): -1 @@ -24,13 +25,11 @@ Does the certificate belong to an authority? (y/N): y Path length constraint (decimal, -1 for no constraint): Is this a TLS web client certificate? (y/N): Will the certificate be used for IPsec IKE operations? (y/N): -Is this a TLS web server certificate? (y/N): y -Enter a dnsName of the subject of the certificate: 127.0.0.1 +Is this a TLS web server certificate? (y/N): Enter a dnsName of the subject of the certificate: Enter a URI of the subject of the certificate: Enter the IP address of the subject of the certificate: -Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): -Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): +Enter the e-mail of the subject of the certificate: Will the certificate be used to sign other certificates? (y/N): y Will the certificate be used to sign CRLs? (y/N): y Will the certificate be used to sign code? (y/N): @@ -51,24 +50,23 @@ Country name (2 chars): Enter the subject's domain component (DC): This field should not be used in new certificates. E-mail: -Enter the certificate's serial number in decimal (default: 6079998890988883856): +Enter the certificate's serial number in decimal (default: 6080488276853553635): Activation/Expiration time. The certificate will expire in (days): -1 Extensions. Does the certificate belong to an authority? (y/N): -Is this a TLS web client certificate? (y/N): y +Is this a TLS web client certificate? (y/N): Will the certificate be used for IPsec IKE operations? (y/N): -Is this a TLS web server certificate? (y/N): -Enter a dnsName of the subject of the certificate: localhost +Is this a TLS web server certificate? (y/N): y Enter a dnsName of the subject of the certificate: 127.0.0.1 +Enter a dnsName of the subject of the certificate: localhost Enter a dnsName of the subject of the certificate: Enter a URI of the subject of the certificate: Enter the IP address of the subject of the certificate: -Enter the e-mail of the subject of the certificate: -Will the certificate be used for signing (required for TLS)? (Y/n): -Will the certificate be used for encryption (not required for TLS)? (Y/n): +Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): +Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): To create a CRL for the server certificate: @@ -78,4 +76,3 @@ Update times. The certificate will expire in (days): -1 CRL Number (default: 6080006793650397145): - diff --git a/testenv/certs/ca-cert.pem b/testenv/certs/ca-cert.pem index 61f93182..b516464d 100644 --- a/testenv/certs/ca-cert.pem +++ b/testenv/certs/ca-cert.pem @@ -1,21 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDXjCCAkagAwIBAgIIVGB8TiyN5TswDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE +MIIDPjCCAiagAwIBAgIIVGI7SyiXCDUwDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE AxMIR05VIFdnZXQxDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTAiGA8yMDE0 -MTExMDA4NTAyNFoYDzk5OTkxMjMxMjM1OTU5WjAwMREwDwYDVQQDEwhHTlUgV2dl +MTExMTE2MzczM1oYDzk5OTkxMjMxMjM1OTU5WjAwMREwDwYDVQQDEwhHTlUgV2dl dDENMAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAv2IR1/gsaJsn+egtVFbMMMbivK+eVzPY8wEXb2flpe9a Kkwz824nSSrWfRigQmf/ODkNlK2x91kppfPmWkClUREQB3I4d/sHFnzqCkFKmNwt VT4DsL47VumgZF6ZjSqTYQD3MDH3VhFj1iKrRMM/aCZXwntD+67sKw6UPXfFbfUO Recpb7fCZPZFVFYStxgcF7cyH+DADLX5QCEjiLYH1es6FXrdw+ypgwBl+HuLkQ/4 gE0JLQK5PAKSYeLy0JEBUPovkMXT+r9aPkQBF/9WD6uUPia0ERHbMIT0My84hBrG -9d5u5gXPnH1ZxKIr8iJOYCydVjYndn21zs2IExwL6wIDAQABo3gwdjAPBgNVHRMB -Af8EBTADAQH/MBQGA1UdEQQNMAuCCTEyNy4wLjAuMTAdBgNVHSUEFjAUBggrBgEF -BQcDAQYIKwYBBQUHAwkwDwYDVR0PAQH/BAUDAwemADAdBgNVHQ4EFgQU8z5OOIRK -qb7Bb8dho1DabimL61QwDQYJKoZIhvcNAQELBQADggEBAEyG0E8RrSNfv9ZtqidB -9j660p8CynFDsX+hjfR1Sy4v5aUxxaA1spj/L5ioQXgjFKfht3zyPQBwLDSWNb41 -1yaGrPjwDfal/CWY1lJHGZGiEuxtZ32mMYNSUNBQk0t2P33NssdjdtJ8Tm9BZwqH -/NxHTi00MTQlG4L01KSAf7wJtapA1Ad6u6WAU+316EuTQ0eh7owOugaSIpCFgwQA -hq3SkUW8P2hL9ZYX0lGzaqE9oKm9dIvpfVPrWhbhnGMPR2X/7B8IgK84r3Eb1CF2 -3nysbcWH8BSxpN0d8oYPhUFi3jyV9InqFvEPxyMQ9MmtjDb4JpA6tkL6UwP77br6 -Th0= +9d5u5gXPnH1ZxKIr8iJOYCydVjYndn21zs2IExwL6wIDAQABo1gwVjAPBgNVHRMB +Af8EBTADAQH/MBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMHBgAw +HQYDVR0OBBYEFPM+TjiESqm+wW/HYaNQ2m4pi+tUMA0GCSqGSIb3DQEBCwUAA4IB +AQCWKV1Txo3xytRSO1PwWK9ce5FhvQW9mubuuWmbEnQt9JaOhO1Og6ZmdPDlAQeo +m0CJZZ0VNeodoBXPGopy3VyzF4ZzUR9leGk3sb1qTSoDCvJd/zLrfukHKugtwuK0 +b1fPnEjBjQ6gQI21coc1tmyX8Qsm7of5n+Ji601WG+FiVmmdEsCjmA/eAvwSbu1E +cAVH476KUt4CrpVPQQVqzFPDz8i4iw/P+Jo+iNmL5S72OG2GfkSJq3XkUYa509W6 +N+8c3p4y0q/PcQ92s1OIHyEPZFRFhm4xw0sHkhD2KVoHseHZjCoYn4/lIzMPnJ6v +EfZUJQXndeJnffbthaUp8Ea2 -----END CERTIFICATE----- diff --git a/testenv/certs/server-cert.pem b/testenv/certs/server-cert.pem index 73e9bba3..4ce3886c 100644 --- a/testenv/certs/server-cert.pem +++ b/testenv/certs/server-cert.pem @@ -1,7 +1,7 @@ -----BEGIN CERTIFICATE----- -MIIDgDCCAmigAwIBAgIIVGB+xzQpT5AwDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE +MIIDgDCCAmigAwIBAgIIVGI73zrIeeMwDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE AxMIR05VIFdnZXQxDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTAiGA8yMDE0 -MTExMDA5MDA1OVoYDzk5OTkxMjMxMjM1OTU5WjAxMRIwEAYDVQQDEwkxMjcuMC4w +MTExMTE2NDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAxMRIwEAYDVQQDEwkxMjcuMC4w LjExDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAMjC3Gt55EfStl6mE371+pD3/cpR5MLxkdbBss5MlIP2 TDhiPOItLXml8oxs4BjUm3wfn3GV9iJLmbzbIWL+0kbRkQ2LCPKUf+Cln3z2ZE+r @@ -9,13 +9,13 @@ XwdWlT8gVfv51Opfkp2lLDVUqLfNKRGQgivjSCmLqY2LqeB0SaVNvuaD3EpqZyIH 0E5SZgjqBHgRRtvGkcy0rOmp5SI2NASLugUioXa9OLWjpYDwodsd3ERlL0DJ1aJW 8TC8Tqix4i0osWzar+LXBIin0Qvar9/uRHN0p1kq3p0XgNHKqWpiTT54+WYx7Pem v4qRXz11swiJzUL+Pw1DurQ9smbzDgAsz7V2FJnUeCcCAwEAAaOBmDCBlTAMBgNV -HRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdEQQYMBaCCWxvY2Fs -aG9zdIIJMTI3LjAuMC4xMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFJfm323L +HRMBAf8EAjAAMB8GA1UdEQQYMBaCCTEyNy4wLjAuMYIJbG9jYWxob3N0MBMGA1Ud +JQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFJfm323L JbKTM/tMKSt0qlUqewbnMB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tU -MA0GCSqGSIb3DQEBCwUAA4IBAQBeRV2kMWuksna/E6hqcQ5C76UFq9RDcvxIoJQ/ -2ANywD+EcQYyBNSSL+yyv6/Pp9gXlqjciYdb3OgdPb++3y/UC6IxkeFv1uNDwJfS -HVX9avm12CXfZt4zMrq1GQX4gjJ9jkItMCY4atdyAQROGnzDWzNuwSWaasL3oUPT -qDUMHZR2kH2cIr9S07YT/8RslMdlMgeI4Y9JCGuRspgxwnDtM5L3vZEnGsud7DSa -1/8LGiYydNIpCikwd2Pzdwp9G8mm7AExU3AsXPCyYxDWWjfyhBjTY+5aR57igNeB -CaP+xoDNilbJ/RM+0Ygv/ue7gY49f8nESQP+0HQVborwl3h2 +MA0GCSqGSIb3DQEBCwUAA4IBAQCDmuSD4IGmn0UQ5jhGQquh92Iu59j64Rrg7EIM +zoppciyYR8gDUutOI9CEisxJz6umvAdOo5L981gcFaBv6hHWaE/krAZccR+ZXZP6 +fI9btO8My8O63fYcd2KkLEFqvKDF43i01S2LrqXdPo3uELbFZwxCmUKsexFGsoW1 +CbXbRjnS7w/f72myRmvBeDiNMuGfe1lb4IflybH3DMlKC7i0AN1JKglp+IKn5XAE +neWR03i3UaYJsibIxj0DkTS+hVPu5MXQ9RlF5CkRdFKjGinLE/u70XyAyx0/IeAN +e7c2MJvpdfRmTXm2ew4sNyK9RXo7Bv0Yqkl65iMscF8LNnxL -----END CERTIFICATE----- diff --git a/testenv/certs/server-crl.pem b/testenv/certs/server-crl.pem index ee2082c4..39c1919f 100644 --- a/testenv/certs/server-crl.pem +++ b/testenv/certs/server-crl.pem @@ -1,12 +1,12 @@ -----BEGIN X509 CRL----- MIIB1DCBvQIBATANBgkqhkiG9w0BAQsFADAwMREwDwYDVQQDEwhHTlUgV2dldDEN -MAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VGA8yMDE0MTExMDA5MzUyMVoYDzk5 -OTkxMjMxMjM1OTU5WjAdMBsCCFRgfsc0KU+QGA8yMDE0MTExMDA5MzUyMVqgNjA0 -MB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tUMBEGA1UdFAQKAghUYIba -N/WqiDANBgkqhkiG9w0BAQsFAAOCAQEALV862K6ErgDdHKVag2mibcyguI83mPUm -AhkbZ0vUFIjf39kDwXfBdGjQPPRilAM+2nraN7UTZs6y+2UDTbavaOpn5YFEoP5f -Z6AN+PMEVi8QfkpQHIRJPVg1noJMBU+KgqGvzg7pCpzD8WyrH/4AAmuQoD18YndP -SQGmTvsap3nCQPtCcGnONbdvqlHF47toy9nYz+4auS+RpEPiUa9YT5zNOwQwlQg5 -cgdbkheEqN3SLeTAxvDSVaHbVEr2U7rsR8ckMNXE0xgNuDmvIiTiqps+e2oE88Ii -421c+VGZE4LE5NeETIk8V4drxbdYZpwRB2/BzmDwKhMAB8WBIH2sFA== +MAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VGA8yMDE0MTExMTE2NDU1NFoYDzk5 +OTkxMjMxMjM1OTU5WjAdMBsCCFRiO986yHnjGA8yMDE0MTExMTE2NDU1NFqgNjA0 +MB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tUMBEGA1UdFAQKAghUYj1E +KHs9ijANBgkqhkiG9w0BAQsFAAOCAQEAZgwqs1VOFG39dFHHMXvBr4eJfhwiG4bC +cL6IvLhvl9ikcyQMHrpOBtNjkCtgclSbJjjTDdera1+zuCWE0WBOJ4mojYdAIOhR +QvSwp4NwAtibu2F/fjeXoo+LEpcRKtLvAotB30eCZ1OPrijsa/HxFILOLlayjns8 +wM4RmQC4o43y1G/1jqM8hGDg4Wz0j1URVuyP+pU55JpubV5LlExy3gIRwevD2lam +q3hiighenJYFO3HGZkYT2SIoSpXZnQqKPJ4HwRBSg/cjOpc1y1lIIvKhmk+Cut6M ++S5HL4pIk8vGYg57nTfOOkj1goqFkfU0DBqvVAZj02ay/VIDu61T1g== -----END X509 CRL-----